OpenStack Introduction for Ubuntu Part I
OpenStack is an open source cloud-computing project for public and private clouds, managed by the OpenStack Foundation; the main goal of the project is to provide an Infrastructure as a Service (IaaS) platform. This post series is an introduction to installing the platform on Ubuntu 12.04 (LTS). A complete installation guide can be found at this link. The main components are:
- OpenStack Dashboard (http://www.openstack.org/software/openstack-dashboard/): Graphical interface to access, provision and automate cloud-based resources.
- OpenStack Compute (http://www.openstack.org/software/openstack-compute/): Cloud operating system that enables enterprises and service providers to offer on-demand computing resources, by provisioning and managing large networks of virtual machines.
- OpenStack Networking (http://www.openstack.org/software/openstack-networking/): Pluggable, scalable and API-driven system for managing networks and IP addresses.
- OpenStack Storage (http://www.openstack.org/software/openstack-storage/): Object and Block storage for use with servers and applications.
- Identity Service (http://www.openstack.org/software/openstack-shared-services/): Central directory of users mapped to the OpenStack services they can access.
- Image Service (http://www.openstack.org/software/openstack-shared-services/): Provides discovery, registration and delivery services for disk and server images.
- Telemetry Service (http://www.openstack.org/software/openstack-shared-services/): Aggregates usage and performance data across the services deployed in an OpenStack cloud.
- Orchestration Service (http://www.openstack.org/software/openstack-shared-services/): Template-driven engine that allows application developers to describe and automate the deployment of infrastructure.
Basic architecture with OpenStack Networking (Neutron)
- The controller node runs the Identity Service, Image Service, dashboard, and management portions of Compute and Networking. It also contains the associated API services, MySQL databases, and messaging system.
- The network node runs the Networking plug-in agent and several layer 3 agents that provision tenant networks and provide services to them, including routing, NAT, and DHCP. It also handles external (internet) connectivity for tenant virtual machines.
- The compute node runs the hypervisor portion of Compute, which operates tenant virtual machines. By default, Compute uses KVM as the hypervisor. The compute node also runs the Networking plug-in agent, which operates tenant networks and implements security groups.
Configuring the internal network
The conventional configuration requires two network interfaces on every machine: one for internet communication and another for local network communication. For simplicity we assume these interfaces are eth0 and eth1. An example /etc/network/interfaces configuration file for the controller node:
# Internal Network
auto eth0
iface eth0 inet static
address 192.168.0.10
netmask 255.255.255.0

# External Network
auto eth1
iface eth1 inet static
address 10.0.0.10
netmask 255.255.255.0
Use the hostname command to set the host name:
# hostname controller
To configure this host name to be available when the system reboots, you must specify it in the /etc/hostname file, which contains a single line with the host name.
For a simple example, edit the hosts file (/etc/hosts) and add all the host names; real systems should use DNS or a configuration management system such as Chef to maintain this host list:
127.0.0.1 localhost
192.168.0.10 controller
192.168.0.11 compute1
Network Time Protocol (NTP)
To synchronize services across multiple machines, you must install NTP on every node. After installing it, edit /etc/ntp.conf and change the server directive so that the controller node is used as the time source:
# apt-get install ntp
Every service requires a password. You can generate random passwords with the openssl rand -hex 10 command.
The complete list of passwords you need to define in this guide is (the variable name is the placeholder used in the commands below; rows marked "(not shown)" have no variable listed on this page):
Variable | Purpose
(none) | Root password for the database
RABBIT_PASS | Password of user guest of RabbitMQ
KEYSTONE_DBPASS | Database password of Identity Service
(not shown) | Password of user
(not shown) | Database password for Image Service
(not shown) | Password of Image Service user
(not shown) | Database password for Compute service
(not shown) | Password of Compute service user
(not shown) | Database password for the dashboard
(not shown) | Database password for the Block Storage Service
(not shown) | Password of Block Storage Service user
(not shown) | Database password for the Networking service
(not shown) | Password of Networking service user
(not shown) | Database password for the Orchestration service
(not shown) | Password of Orchestration service user
(not shown) | Database password for the Telemetry service
(not shown) | Password of Telemetry service user
MySQL is required to store OpenStack information.
MySQL setup on the controller node
# apt-get install python-mysqldb mysql-server
MySQL setup on the other nodes
# apt-get install python-mysqldb
OpenStack packages
The Ubuntu Cloud Archive is a special repository that allows you to install newer releases of OpenStack on the stable supported version of Ubuntu.
# apt-get install python-software-properties
# add-apt-repository cloud-archive:havana
# apt-get update && apt-get dist-upgrade
# reboot
Install RabbitMQ and change its default password.
# apt-get install rabbitmq-server
# rabbitmqctl change_password guest RABBIT_PASS
Configure the Identity Service
Identity Service concepts
The Identity Service performs the following functions:
- User management: Tracks users and their permissions.
- Service catalog: Provides a catalog of available services with their API endpoints.
Install the Identity Service
Install the OpenStack Identity Service on the controller node:
# apt-get install keystone
Edit /etc/keystone/keystone.conf and change the [sql] section:
[sql]
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
Create the keystone database and a keystone database user. Note that the second grant, for 'keystone'@'%', lets that user connect from any host, so the MySQL port should only be reachable from the management network:
# mysql -u root -p
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
Create the database tables for the Identity Service:
# keystone-manage db_sync
Define an authorization token to use as a shared secret between the Identity Service and other OpenStack services. Use openssl to generate a random token and store it in the configuration file:
# openssl rand -hex 10
Edit /etc/keystone/keystone.conf and change the [DEFAULT] section, replacing ADMIN_TOKEN with the output of the command:
[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN
Restart the service so that the new token takes effect:
# service keystone restart
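As an added check (not part of the original guide; standard library only), the script below parses the two keystone.conf settings edited above and flags a placeholder left in place, the default token, or an admin_token that is not the 20-hex-digit output of openssl rand -hex 10. SAMPLE_CONF is a constructed stand-in for the real file.

```python
"""Check the keystone.conf edits made in this guide (added example)."""
import configparser
import re

# Constructed sample mirroring the two edits above, with the guide's
# ADMIN_TOKEN and KEYSTONE_DBPASS placeholders still in place.
SAMPLE_CONF = """
[DEFAULT]
admin_token = ADMIN_TOKEN
[sql]
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
"""

# Values that must never survive into a running deployment: the guide's
# placeholders, the shipped default admin_token, or an empty setting.
PLACEHOLDERS = {"ADMIN_TOKEN", "KEYSTONE_DBPASS", "ADMIN", ""}


def check_keystone_conf(text):
    """Return a list of findings; an empty list means both settings look right."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    token = cp.get("DEFAULT", "admin_token", fallback="")
    if token in PLACEHOLDERS:
        findings.append("admin_token is still the default or a placeholder")
    elif not re.fullmatch(r"[0-9a-f]{20,}", token):
        findings.append("admin_token is not an 'openssl rand -hex 10' style value")
    conn = cp.get("sql", "connection", fallback="")
    m = re.fullmatch(r"mysql://keystone:([^@]+)@controller/keystone", conn)
    if not m:
        findings.append("sql connection does not point keystone at the controller database")
    elif m.group(1) in PLACEHOLDERS:
        findings.append("KEYSTONE_DBPASS placeholder still present in the connection string")
    return findings
```

Run it against /etc/keystone/keystone.conf by passing the file contents to check_keystone_conf; any non-empty result means the file is not yet ready for the restart above.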
Define users, tenants, and roles
We don't have any users yet for the Identity Service, but we can connect to it using the admin access token. To do that, export the following environment variables:
# export OS_SERVICE_TOKEN=ADMIN_TOKEN
# export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
Create a tenant for an administrative user and a tenant for other OpenStack services to use.
# keystone tenant-create --name=admin --description="Admin Tenant"
# keystone tenant-create --name=service --description="Service Tenant"
Create an administrative user called admin. Choose a password for the admin user and specify an email address for the account.
# keystone user-create --name=admin --pass=ADMIN_PASS --email=firstname.lastname@example.org
Create a role for administrative tasks called admin.
# keystone role-create --name=admin
Add roles to users. Users always log in with a tenant, and roles are assigned to users within tenants. Add the admin role to the admin user when logging in with the admin tenant.
# keystone user-role-add --user=admin --tenant=admin --role=admin
Define services and API endpoints
You must register each service in your OpenStack installation using the following commands:
- keystone service-create. Describes the service.
- keystone endpoint-create. Associates API endpoints with the service.
You must also register the Identity Service itself. Use the OS_SERVICE_TOKEN environment variable, as set previously, for authentication.
Create a service entry for the Identity Service
# keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |    Keystone Identity Service     |
|      id     | 19072b6631ec4c0b9d3f93a8b89efd41 |
|     name    |             keystone             |
|     type    |             identity             |
+-------------+----------------------------------+
Specify an API endpoint for the Identity Service
Use the returned service ID. When you specify an endpoint, you provide URLs for the public API, internal API, and admin API.
# keystone endpoint-create \
  --service-id=19072b6631ec4c0b9d3f93a8b89efd41 \
  --publicurl=http://controller:5000/v2.0 \
  --internalurl=http://controller:5000/v2.0 \
  --adminurl=http://controller:35357/v2.0
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminurl  |   http://controller:35357/v2.0   |
|      id     | dcff14339da049fbb42031f4b1490250 |
| internalurl |   http://controller:5000/v2.0    |
|  publicurl  |   http://controller:5000/v2.0    |
|    region   |            regionOne             |
|  service_id | 19072b6631ec4c0b9d3f93a8b89efd41 |
+-------------+----------------------------------+
Note: As you add other services to your OpenStack installation, run these two commands to register each of them with the Identity Service.
Verify the Identity Service installation
Unset the OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT environment variables:
$ unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
You can now use regular username-based authentication. Request an authentication token using the admin user and the password you chose during the earlier administrative user-creation step. You should receive a token in response, paired with your user ID. This verifies that keystone is running on the expected endpoint, and that your user account is established with the expected credentials.
$ keystone --os-username=admin --os-password=ADMIN_PASS \
  --os-auth-url=http://controller:35357/v2.0 token-get
Verify that authorization is behaving as expected by requesting authorization on a tenant.
$ keystone --os-username=admin --os-password=ADMIN_PASS \
  --os-tenant-name=admin --os-auth-url=http://controller:35357/v2.0 token-get
You can also set your --os-* options as environment variables to simplify command-line usage:
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://controller:35357/v2.0
Verify that the variables have been set correctly by running the keystone command without any --os option:
$ keystone token-get
Verify that your admin account has authorization to perform administrative commands.
$ keystone user-list
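The two token-get checks above are a plain HTTP exchange with the v2.0 API. As an added example (not code from the guide or from keystone itself), the script below builds the request body the client posts to /tokens, parses the reply, and tells an unscoped token apart from one scoped to the admin tenant; the SAMPLE_* replies are constructed, and request_token is only for use against a live controller.

```python
"""Keystone v2.0 token-get as an HTTP exchange (added example, not from the guide)."""
import json
import urllib.request


def build_auth_request(username, password, tenant_name=None):
    """Body the keystone CLI posts to /tokens; tenant_name scopes the token."""
    auth = {"passwordCredentials": {"username": username, "password": password}}
    if tenant_name is not None:
        auth["tenantName"] = tenant_name
    return {"auth": auth}


def parse_token_response(body):
    """Return (token id, expiry, user name, tenant name or None) from a /tokens reply."""
    access = json.loads(body)["access"]
    token = access["token"]
    tenant = token.get("tenant")
    return (token["id"], token["expires"], access["user"]["username"],
            tenant["name"] if tenant else None)


def user_roles(body):
    """Role names the reply lists for the user; 'admin' is expected for the admin user."""
    return [r["name"] for r in json.loads(body)["access"]["user"].get("roles", [])]


def token_is_scoped_to(body, tenant_name):
    """True when token-get with --os-tenant-name produced a token scoped to that tenant."""
    return parse_token_response(body)[3] == tenant_name


def request_token(auth_url, username, password, tenant_name=None):
    """POST to <auth_url>/tokens on a live controller (e.g. http://controller:35357/v2.0)."""
    data = json.dumps(build_auth_request(username, password, tenant_name)).encode()
    req = urllib.request.Request(auth_url + "/tokens", data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


# Constructed sample replies shaped like keystone's v2.0 scoped and unscoped tokens.
SAMPLE_SCOPED = json.dumps({"access": {
    "token": {"id": "0123456789abcdef0123", "expires": "2014-01-01T00:00:00Z",
              "tenant": {"id": "aaaa", "name": "admin", "enabled": True}},
    "user": {"id": "bbbb", "username": "admin", "roles": [{"name": "admin"}]}}})
SAMPLE_UNSCOPED = json.dumps({"access": {
    "token": {"id": "fedcba9876543210fedc", "expires": "2014-01-01T00:00:00Z"},
    "user": {"id": "bbbb", "username": "admin", "roles": []}}})
```

Feeding request_token("http://controller:35357/v2.0", "admin", ADMIN_PASS, "admin") into token_is_scoped_to reproduces the second verification step without the keystone client.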